Techniques
Sample rules
DMSA Link Attributes Modified
- source: sigma
- techniques:
  - t1078
  - t1078.002
  - t1098
Description
Detects modification of dMSA link attributes (msDS-ManagedAccountPrecededByLink) via PowerShell scripts. This command line pattern could be an indicator of an attempt to exploit the BadSuccessor privilege escalation vulnerability in Windows Server 2025.
Detection logic
condition: selection
selection:
  ScriptBlockText|contains|all:
    - .Put("msDS-ManagedAccountPrecededByLink
    - CN=
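The selection above, evaluated over constructed PowerShell script block logging records, as an added example that is not part of the Sigma rule or its project. The record fields other than ScriptBlockText, the host names and the distinguished names are assumptions made for illustration.

```python
# Added example: applies the rule's `ScriptBlockText|contains|all` selection
# to constructed script block logging records (not real telemetry).

# The two substrings listed in the rule's selection.
REQUIRED_SUBSTRINGS = ['.Put("msDS-ManagedAccountPrecededByLink', "CN="]


def matches_selection(event: dict) -> bool:
    """True when every required substring occurs in ScriptBlockText.

    Sigma string matching is case-insensitive unless a rule says otherwise,
    so both sides are lowercased before comparing.
    """
    text = str(event.get("ScriptBlockText") or "").lower()
    return all(s.lower() in text for s in REQUIRED_SUBSTRINGS)


def triage(events: list) -> list:
    """Return the records that satisfy `condition: selection`."""
    return [e for e in events if matches_selection(e)]


# Constructed records; RecordId, Computer and all DNs are hypothetical.
SAMPLE_EVENTS = [
    # Write of the link attribute with a DN value: both substrings present.
    {"RecordId": 1, "Computer": "dc01.example.test", "ScriptBlockText":
     '$dmsa.Put("msDS-ManagedAccountPrecededByLink", '
     '"CN=placeholder,CN=Users,DC=example,DC=test")'},
    # Same call in lower case: still matches (case-insensitive).
    {"RecordId": 2, "Computer": "ws07.example.test", "ScriptBlockText":
     '$dmsa.put("msds-managedaccountprecededbylink", '
     '"cn=placeholder,dc=example,dc=test")'},
    # Read-only query of the attribute: no .Put( call, no DN.
    {"RecordId": 3, "Computer": "ws07.example.test", "ScriptBlockText":
     "Get-ADServiceAccount -Identity svc01 "
     "-Properties msDS-ManagedAccountPrecededByLink"},
    # A DN written to a different attribute: only "CN=" is present.
    {"RecordId": 4, "Computer": "ws11.example.test", "ScriptBlockText":
     '$u.Put("description", "CN=placeholder,DC=example,DC=test")'},
    # Link attribute written without a DN: "CN=" is missing, so `all` fails.
    {"RecordId": 5, "Computer": "dc01.example.test", "ScriptBlockText":
     '$dmsa.Put("msDS-ManagedAccountPrecededByLink", $null)'},
    # Record without script text (e.g. a different event type).
    {"RecordId": 6, "Computer": "dc01.example.test"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"ALERT record={hit['RecordId']} host={hit['Computer']}")
```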